Patch Analysis for March 2006

This Month's Security Updates from Microsoft

Microsoft released two security bulletins today: one affects Office, and the other affects certain Windows versions that have weak permissions defined for certain services. Full details are below.

The Windows update, MS06-011, addresses weak service permissions. On Windows XP pre-SP2 and Windows Server 2003 pre-SP2, the default permissions on a number of system services give non-administrative users write access to certain service properties. An attacker could use that access to elevate privileges to administrator level, apparently by pointing the service at a specially written executable that then runs under the administrator-level authority of the service and does the attacker's bidding. As an elevation of privilege risk that requires a valid logon, I don't regard this as critical to load except on sensitive servers where you've already made a full hardening effort, or on workstations where you are committed to preventing end-users from gaining administrator access to their own workstation. Terminal Services servers delivering applications to end-users should receive this patch to prevent end-users from gaining administrator access to the server. At the same time, this patch presents low risk to stability: it makes no updates to executable files and simply strengthens the ACL on the ssdpsrv, netbt, upnphost, scardsvr, dhcp and dnscache services. Unless you have an automated process running as an unprivileged account that updates these services, the patch probably won't be noticeable.
This patch again demonstrates the dividend gained by staying up to date with the latest service pack, since up-to-date Windows 2000, 2003 and XP systems are immune.
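An added example, not part of the original article: a Python check that parses the SDDL string printed by `sc sdshow <service>` and reports allow ACEs that give a non-administrative trustee the right to reconfigure or re-permission the service. The sample descriptors are constructed for illustration, and treating only SY (LocalSystem) and BA (built-in Administrators) as administrative is an assumption.

```python
import re

# SDDL right code -> (service access right, access-mask bit). Holding any of
# these lets a trustee repoint the service binary or rewrite its permissions.
RISKY = {
    "DC": ("SERVICE_CHANGE_CONFIG", 0x00000002),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
}
# Assumption: only LocalSystem and built-in Administrators should hold them.
ADMIN = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

def risky_grants(sddl):
    """Return [(trustee, [rights])] for DACL allow-ACEs that give a
    non-administrative trustee a right listed in RISKY."""
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))+)", sddl)
    found = []
    if not dacl:
        return found
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;obj;inherit_obj;trustee
        if len(fields) < 6 or fields[0] != "A" or fields[5] in ADMIN:
            continue
        rights = fields[2]
        if rights.lower().startswith("0x"):  # numeric access mask
            mask = int(rights, 16)
            held = [name for name, bit in RISKY.values() if mask & bit]
        else:
            # Split on pair boundaries so "SD" + "CC" is not misread as "DC".
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            held = [name for code, (name, _) in RISKY.items() if code in codes]
        if held:
            found.append((fields[5], held))
    return found

# Constructed sample descriptors (not captured from a real system).
SAMPLES = {
    "weak": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
    "hardened": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
}

if __name__ == "__main__":
    for label, sddl in SAMPLES.items():
        print(label, risky_grants(sddl) or "no risky grants")
```

Feed it the `sc sdshow` output for each of the six services named above; an empty result means no non-administrative trustee holds a reconfiguration right in the DACL.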

The Office security update, MS06-012, patches a number of vulnerabilities in various Office and MS Works programs. You should be concerned if you have systems with Office 2000, XP, 2003 or MS Works Suite 2000-2006, Excel Viewer 2003 or even Excel for Mac. These vulnerabilities allow an attacker to run arbitrary code on remote systems if he succeeds in getting the user to open a specially formed Office document delivered through an email attachment, a download from a web page or similar vectors. Since information on how to exploit some of the vulnerabilities in this patch is already public, I recommend loading this patch on all vulnerable systems as soon as possible after basic testing in your environment.

Bulletin: MS06-012 (905413)
Exploit Types / Technologies Affected: Arbitrary code / Office
System Types Affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: Yes / No
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products Affected: Office 2000, Office XP, Office 2003, Office 2004 for Mac, Works 2005, Works 2004, Works 2006, Office X for Mac, Office 2002, Works 2000, Works 2001, Works 2002, Works 2003
Notes: none
Randy's recommendation: I recommend loading this patch on all vulnerable systems after testing.

Bulletin: MS06-011 (914798)
Exploit Types / Technologies Affected: Privilege elevation / Windows
System Types Affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: Yes / No
Comprehensive, practical workaround available?: No
MS severity rating: Important
Products Affected: XP, Server 2003, Small Business Server 2003
Notes: Terminal Services servers delivering applications to end-users should receive this patch to prevent end-users from gaining administrator access to the server.
Randy's recommendation: As an elevation of privilege risk that requires a valid logon I don’t regard this as critical to load except on sensitive servers where you’ve already made a full hardening effort or on workstations where you are committed to preventing end-users from gaining administrator access to their own workstation.
